Customer Privacy


Respecting our customers' privacy is
essential to maintaining their trust in
our business. Managing privacy risks
effectively — and putting customers
in control of their data — is core to
our approach.


Creating the right culture 


Our privacy policies and framework govern
how we collect, use and manage our
customers' information in order to ensure we
respect the confidentiality of their personal
communications and any choices that they
have made regarding the use of their data.
The protection of personal data is one of
our highest priorities and is central to the
Vodafone Code of Conduct that everyone who
works for us (or on our behalf) must follow:


“Privacy is central to earning and sustaining
trust in Vodafone and being a responsible and
ethical corporate citizen. We always consider
the impact our decisions have on the privacy
of our customers and employees. Whenever
we design products, launch campaigns, sign
up vendors, collect information and share
such information with our partners and
others, we observe and adhere to
Vodafone's Privacy Commitments.”





All high-risk policy areas — including the
protection of privacy — are covered in
Vodafone's annual “Doing What's Right”
internal communications campaign, which
raises awareness of the importance of privacy
through internal communications, events,
online articles and webinars with members of
the senior leadership team.


Privacy policy standards 


Vodafone's Privacy Commitments are
supported by four privacy policy standards
that have been developed to address
specific areas of high privacy risk. The policy
standards summarised below are overseen
by the Group Executive Committee, with
implementation and local engagement led
by the Group privacy team.


Privacy Risk Management Standard 


This policy standard sets out the resources
and privacy risk control processes that must
be in place in each of our local markets
to ensure compliance with applicable
local data protection laws as well as with
Vodafone's Privacy Commitments. Those
control processes include a privacy risk
impact assessment of personal data
processing activities — at a functional or
organisational level — of new products and
services, and of new suppliers. They also
require the implementation of a data breach
management process and a document
management and retention policy. Privacy
risks must be logged, and any minimising
actions are recorded and monitored for
completion. Regular reporting from the local
privacy officer to the Group privacy team
ensures clarity on how the processes are
working at a local level.


Network Traffic Management Standard


This policy standard sets out the limited
purposes for which our businesses can use
traffic management technologies in order
to help assure the quality of our services. It
is clear that there are limitations on the use
of such technologies, particularly those that
may have consequences from a privacy or net
neutrality perspective. The policy standard
also addresses the security requirements
that must be implemented to protect such
technologies from unauthorised access or use.


Law Enforcement Assistance Policy Standard


This policy standard addresses the balance
between our customers' right to privacy and
freedom of expression and the statutory
requirements to provide law enforcement
assistance either through lawful intercept
or retention of communications data. Our
basic approach is to interpret applicable
laws and demands as narrowly as is lawfully
possible to guard against unwarranted or
over-broad disclosure or assistance. For more
information about the implementation of this
policy or our approach to working with law
enforcement agencies, visit our Digital Rights
and Freedoms Reporting Centre.


Permissions Policy Standard 


This policy standard defines the customer
permissions required in order to process
personal data, and for which purpose. It is
designed to ensure clarity in balancing
internal demands for data analytics against the
paramount importance of customer privacy.


Vodafone's Privacy Commitments


Our privacy policies are supported by
our Privacy Commitments,
which set out the principles that
govern our approach to privacy and
how we seek to build customer trust
through transparency, empowerment
and reassurance.

Our commitment to our customers' privacy
goes beyond legal compliance. We are
focused on building a culture that respects
privacy in order to justify the trust that people
place in us:


• Accountability: We are accountable for
living up to these commitments throughout
Vodafone, including when working with our
partners and suppliers. We maintain privacy
policies and compliance processes that we
use to ensure we live up to these principles.


• Fairness and lawfulness: We comply
with privacy laws and act with integrity
and fairness. We work with governments,
regulators, policy makers and opinion-formers
to help shape better and more
meaningful privacy laws and standards.


• Privacy-by-design: Respect for privacy is a
key component in the design, development
and delivery of our products and services.


• Openness and honesty: If our actions
could affect our customers' privacy, we
communicate this clearly. We ensure our
actions reflect our words, and we are open
to feedback about our actions.


• Choice and access: We give people the
ability to make simple and meaningful
choices about their privacy and allow them
— where appropriate — to access, update or
delete their personal data.


• Responsible data management and
limited disclosures: We apply appropriate
data management practices to govern
the processing of personal data. We limit
disclosures of personal data to our partners
to what is described in our privacy notices or
to what has been authorised by our customers.


• Balance: When we are required to balance
the right to privacy against other obligations
necessary to a free and secure society, we
work to minimise privacy impacts.


• Security safeguards: We implement
appropriate technical and organisational
measures to protect personal data
against unauthorised access, use,
modification or loss.











Vodafone Group Plc Digital Rights and Freedoms

Privacy-by-design and by default


We seek to ensure that privacy is built into our
products and services by design. We conduct
a privacy and legal impact assessment for all
new products and services, together with an
analysis of any associated data processing
activity such as billing. These impact
assessments are conducted by the relevant
expert teams — at Group and local market
level — to ensure compliance with the law and
to identify any remedial actions required early
in the design process to address potential
consequences for customers. For example, the
assessment process for enterprise products,
services and technologies is overseen by
the Vodafone Global Advisory Forum, whose
members are relevant internal experts from
across the business such as privacy, security,
regulatory and business teams.


During 2015-16, we focused on developing a
standardised approach to the collection and
use of personal data through Vodafone's own
branded apps, using the MyVodafone app as a
case study. The installation process involved
the use of clearly worded privacy notices,
consent buttons and permissions settings to
ensure customers were aware of how their
personal data would be used by Vodafone.
For example, diagnostic connection data from
customer devices is used to help optimise
network performance.


Managing privacy risks 

Risk management is central to our approach
to privacy. To help us identify and manage
emerging risks, we assess the implications
of our business strategy, new technologies,
customer concerns and relevant industry
developments. Our response to the
identification of new privacy challenges
may include investing in new capabilities or
technologies, revising policies or working
through associations such as the GSMA to
influence others in our industry. We engage
regularly with external stakeholders and draw
on their expertise to help shape our strategy
and respond to their concerns.


The work of the Group privacy team is
supported by three areas of activity designed
to ensure compliance with all of Vodafone's
rules related to risk management, including
privacy risks. These are:


1. The Group's internal audit function,
in which experienced auditors conduct
a detailed analysis of a particular aspect
of Vodafone's business and make
recommendations for action which
are communicated to the Group
Executive Committee;


2. Annual policy compliance reviews
(PCRs) conducted for each high-risk policy
area, including privacy. For each local
market, three specific controls are assessed
and the local compliance officer in each
country collects specified evidence that
demonstrates how those three controls
are being implemented; and


3. Privacy “deep dives”. A “deep dive” analysis
is also conducted each year in two or
three local markets; this involves an onsite
compliance review during which all privacy
risk control processes are assessed.


Managing operational risks 


Each privacy officer in our local markets
uses our Privacy Risk Management System
(explained here) to ensure our Privacy
Commitments are delivered at operational
level in each country in which we operate.
Our Group privacy team has oversight over
the privacy officers in each of our local
markets. This Privacy Risk Management
System provides a common framework for the
assessment of — and further improvements
to — our privacy programmes across the
Group, while allowing the flexibility to
respond to local privacy concerns, legal
requirements or stakeholder expectations.


Examples of how we ensure each local
market manages their customers' data
appropriately include:


• maintaining a personal information location
register stating where customer data is
located, with a robust process to keep this
register up to date;


• managing supplier privacy risk, including
requiring suppliers who handle our
customer data to have privacy clauses
in their contracts, have appropriate risk
mitigation action plans in place and be
recorded within the local privacy risk
register; and


• the incorporation of privacy related
measures within the new product or service
design process (“privacy by design”).


During 2017-18, we will update these
(and other) requirements to reflect the
introduction of the European Commission's
General Data Protection Regulations (GDPR).
We will also be developing new processes to
ensure that we deliver a consistent, repeatable
and standard approach to managing and
addressing privacy challenges that may arise,
either from changes in the law or from new
and emerging technologies with implications
for customer privacy such as the “Internet of
Things”. The changes to our policies to reflect
the GDPR will apply globally, wherever we
operate — not just in Europe.


The European Commission's General Data Protection Regulations (GDPR)


The European Directive on Data Protection
1995 resulted in each member state
implementing its own version of data
protection law. This has caused complexity
in compliance for companies like Vodafone
which has a legal presence in multiple
European member states. The current Data
Protection Directive will be replaced by the
GDPR in May 2018. These new regulations
are intended to set out one pan-European
Sirclale (eh (oldər- ir Mələyə əladır. as İs-lələliyi 
equally across the European Union and 
equally across the different information 
and communications technologies that 
are central to the daily lives of hundreds of 
millənbdə də (oər əə 


The GDPR builds on the data protection
principles found in the original Directive but
includes more prescriptive requirements
for evidence of privacy risk management
processes, compliance and governance
structures. The Regulations also require
privacy to be considered within business
processing activities by design and by default.
The new rules will give supervisory authorities
and regulators greater powers to take action
for breaches or non-compliance with the
requirements, with the most severe penalty
being a fine of €20 million or 4% of annual
global turnover, whichever is the higher.


Our work in this area is overseen by the
Group privacy team. That team will oversee
the implementation of the GDPR when
the new rules come into force in May 2018
and will then lead the governance process
designed to ensure GDPR compliance. We are
active participants in a wide range of debates
regarding privacy and data protection,
including the GDPR and the ePrivacy Directive
review. Our response to the consultation on
the latter can be found here.

